
Over the past decade, Bluetooth has become almost the default way for billions of devices to exchange data over short distances, allowing PCs and tablets to transfer audio to speakers and phones to zap pictures to nearby computers. Now, researchers have devised an attack that uses the wireless technology to hack a wide range of devices, including those running Android, Linux, and, until a patch became available in July, Windows.

BlueBorne, as the researchers have dubbed their attack, is notable for its unusual reach and effectiveness. Virtually any Android, Linux, or Windows device that hasn't been recently patched and has Bluetooth turned on can be compromised by an attacking device within 32 feet. It doesn't require device users to click on any links, connect to a rogue Bluetooth device, or take any other action, short of leaving Bluetooth on. The exploit process is generally very fast, requiring no more than 10 seconds to complete, and it works even when the targeted device is already connected to another Bluetooth-enabled device.

"Just by having Bluetooth on, we can get malicious code on your device," Nadir Izrael, CTO and cofounder of security firm Armis, told Ars. "BlueBorne abuses the fact that when Bluetooth is on, all of these devices are always listening for connections."

Patch now, if you haven't already

Microsoft patched the vulnerabilities in July during the company's regularly scheduled Patch Tuesday. Company officials, however, didn't disclose the patch or the underlying vulnerabilities at the time. A Microsoft representative said Windows Phone was never vulnerable. Google, meanwhile, provided device manufacturers with a patch last month. It plans to make the patch available starting today for users of the Pixel XL and other Google-branded phones, but if past security bulletins are any guide, it may take weeks before over-the-air fixes are available to all users. Izrael said he expects Linux maintainers to release a fix soon. Apple's iOS prior to version 10 was also vulnerable.

The attack is most potent against Android and Linux devices, because the Bluetooth implementations in both operating systems are vulnerable to memory corruption exploits that execute virtually any code of the hacker's choosing. The Bluetooth functionality in both OSes also runs with high system privileges, allowing the resulting infection to access sensitive system resources and survive multiple reboots.

Surprisingly, the majority of Linux devices on the market today don't use address space layout randomization or similar protections to lessen the damage of BlueBorne's underlying buffer overflow exploit, Armis Head of Research Ben Seri said. That makes the code-execution attack on that OS "highly reliable." Android, by contrast, does use ASLR, but Armis was able to bypass the protection by exploiting a separate vulnerability in the Android implementation of Bluetooth that leaks memory locations where key processes are running. BlueBorne also massages Android memory in a way that further lessens the protection offered by ASLR. The result: BlueBorne can carry out remote code-execution attacks on both OSes that are both stealthy and reliable.

Armis researchers haven't confirmed that code execution is possible against Windows' unpatched Bluetooth implementation, but they were able to carry out other attacks. The most significant one allows hackers to intercept all network traffic sent to and from the targeted Windows computer and to modify that data at will. That means attackers could use BlueBorne to bypass personal and corporate firewalls and exfiltrate sensitive data and possibly modify or otherwise tamper with it while it's in transit. The Android implementation is vulnerable to the same attack.

The following three videos demonstrate the attacks against Android, Linux, and Windows respectively:

BlueBorne—Android Take Over Demo.

Linux Take Over Demo.

BlueBorne - Windows MiTM Demo.

In all, Armis researchers uncovered eight Bluetooth-related vulnerabilities in Android, Linux, Windows, and iOS. The researchers consider three of the flaws to be critical. The researchers reported them to Google, Microsoft, and Apple in April and to Linux Maintainers in August. All parties agreed to keep the findings confidential until today's coordinated disclosure. The vulnerabilities for Android are indexed as CVE-2017-0781, CVE-2017-0782, CVE-2017-0783, and CVE-2017-0785; the vulnerabilities for Linux are CVE-2017-1000251 and CVE-2017-1000250; the vulnerability for Windows is CVE-2017-8628; the designation for iOS vulnerability wasn't immediately available.

Until now, Bluetooth has been notable for the dearth of critical vulnerabilities found in the specification or in its many implementations; Armis is aware of only one previous code-execution flaw, in Windows, which Microsoft fixed in 2011. The Armis researchers, however, said they believe there are likely many more overlooked critical bugs that remain to be found.


The vulnerabilities are coming to light a few months after two independent reports—one in April from Google's Project Zero and the other in July from Exodus Intelligence—exposed similarly critical vulnerabilities in Wi-Fi chips manufactured by Broadcom. They, too, allowed attacks that were transmitted wirelessly from device to device with no user interaction.

Typical of most proof-of-concept exploits, the BlueBorne attacks demonstrated in the videos are relatively simple. With more work, Armis researchers said they could probably develop a self-replicating worm that would spread from a single device to other nearby devices that had Bluetooth turned on, and from there those devices would infect other nearby devices in a chain reaction. Such self-replicating exploits could quickly take over huge numbers of devices at conferences, sporting events, or in work places. It has never been a bad idea to keep Bluetooth turned off by default and to turn it on only when needed—at least on Android phones, the large percentage of which still broadcast privacy-compromising MAC addresses for anyone within radio range to view. The vulnerabilities reported by Armis now reinforce the wisdom of that advice.

Dan Guido, a mobile security expert and the CEO of security firm Trail of Bits, told Ars such a worm might be hard to pull off because exploits would have to be customized for the hardware and operating system of each Bluetooth-enabled device. He also downplayed the likelihood of active BlueBorne attacks, noting that there's no indication either of the Broadcom chip vulnerabilities has ever been exploited in the wild.

Izrael confirmed that BlueBorne exploits would have to be customized for each platform but said the amount of work required to do so would be manageable. The Android exploit Armis has developed, for instance, already works on both a Pixel and Nexus phones.

"Any further customization for Android-based devices would be a very simple task," he said. What's more: "An attacker that would want to weaponize these exploits could achieve generic exploits with very little work."

This is as bad as it gets. There are a huge number of vulnerable devices, a large fraction of which never will be patched.

On the other hand, I have a Samsung Galaxy S5 with a broken screen (and thus unable to enter the pin) that I didn't want to get repaired and some pictures I would like to save from it. Perfect weekend project.

It's too bad some people have to keep Bluetooth enabled to use their headphones...

Also that many people have phones that are outside the very short security update window but are otherwise perfectly functional, and therefore not replaced except by those who are particularly security conscious.

Re Android, while Google is undertaking initiatives to mitigate the Android update problem, the OEMs and carriers as usual are far too laissez faire.

Sadly, it's not enough that such vulnerabilities are discovered. It's likely going to take a massive infection of the entire Android ecosystem. An extinction level event that will finally insinuate the Android update problem into the zeitgeist such that non-geeks start paying attention and begin questioning the viability of that platform. When that happens then lots of Android users will start moving to Apple (the only real alternative). Android may survive as a platform but it will suffer mightily.

Just like the recent hurricanes. People see hurricanes but don't care much if they aren't personally affected even if they live in vulnerable areas. Having lived for many years in both Houston and South Florida, both hurricane magnets, I learned long long ago to care and be prepared.

So is this only a vulnerability against phones and "workstations" (pc/mac/linux laptop/desktop) or does it also affect cars too as so many cars are just rolling computers?

If Blueborne can infect a Linux-powered watch, as demonstrated in one of the videos, there's no obvious reason why it couldn't infect cars.

Is that really the case? Most cars are just a big rolling bluetooth speaker/mic.

I doubt my wireless headphones run a full bluetooth/system/OS/kernel stack. Why would a car's audio system do that?

Actually, they probably do up to a point. The chipset makers (Broadcom etc) usually just have a few mega-functional chips that companies just throw onto their boards and then only use the parts that are needed. You'd be surprised how much unnecessary code is running on the chips in your devices creating security issues, while you don't actually make use of any of the features.

This is a good reminder that updating Play Store services isn't necessarily enough to keep devices secure. I've seen a number of people insisting Android is more secure than one would assume even without OS update and while that may well be true, oftentimes there's no replacement for updating core OS services.

Because the current version of iOS has been out for a year and is not vulnerable, and because the uniformity of the device base leads to the majority of iOS devices quickly updating to the latest release. Android has a much more significant installed base of devices that are at least one, and sometimes many revisions back from current, and will never be updated.

I switch back and forth between iOS and Android periodically, but last year when I switched back to an iPhone I have to say it was the lack of commitment to updates from Android that drove a large part of my choice. That and a number of high profile vulnerabilities that underline the risk from carriers who don't care to bother passing along updates.

Great now android will probably lock down bluetooth in the next version like they did the SD card.

A poster corrected me and stated you can use a SD as internal storage but I found out that the phone mfg has the option to disable that. Then I looked at all my stock phones and sure as heck the option to reformat my card as internal storage is not there. I seriously believe this will be the same way. Patch for now, then android will 'break' bluetooth, then fix it but let the phone mfg's opt out of allowing you to use the fixed feature. It's probably just an issue for me because I don't spend over $150 on a phone (really I spend less than $100, more recently it's been 75 or less) but I feel I represent the low end (poor) phone user on prepaid plans.

I'm curious what the status of iOS or even macOS are. They explicitly mention iOS in their video as being vulnerable, and that is repeated in this article, but they have no demonstration or further info on it.

Bluetooth is enabled by default on iOS, and is needed for not only the obvious stuff but also for features like AirDrop. So there's a lot of iPhones and iPads with Bluetooth on.

From the article:

Quote:

Apple's iOS prior to version 10 was also vulnerable.

Given high adoption rate of new iOS versions, that should mean 90% of iOS devices still in use are already patched.

Not sure about macOS but Apple typically patches similar vulnerabilities in both at the same time. Easy to do, since they're both based on the same core...

It's too bad the solution for ~90% of Android phones is going to be "throw it away and buy a new phone".

I want to like Android, I want it to be a viable alternative to iOS, but the lack of reliable system updates from OEMs is crippling for this very reason.

Buy a Pixel or Nokia. I'm not saying that as a way of brushing aside the problem with security updates in the Android ecosystem, but until OEMs see their bad security practices affect their bottom line, they won't care.

I'll also echo those that lament the loss of a 3.5mm jack. A wire doesn't have security problems.

It's too bad the solution for ~90% of Android phones is going to be "throw it away and buy a new phone".

I want to like Android, I want it to be a viable alternative to iOS, but the lack of reliable system updates from OEMs is crippling for this very reason.

IDK flagship phones seem to be getting better. My Note 4, on Verizon (who slow everything down) is on the July 2017 security release so I expect I'll have the patch in a few weeks. It would be better if I had the security patch at the same time as the Pixel obviously, but it's not like some of my previous phones which were just abandoned after the first major OS update.